5.4. Configuring a Red Hat Satellite Capsule Server
Prerequisite
You must meet the following conditions before continuing on this task:
- Install the Red Hat Satellite Server.
- Set the SELinux permissions on the system designated as the Satellite Capsule Server as enforcing.
The following procedures configure a Satellite Capsule Server for use with your Red Hat Satellite Server. This includes the following types of Satellite Capsule Servers:
- Satellite Capsule Server with Smart Proxy
- Satellite Capsule Server as a Content Node
- Satellite Capsule Server as a Content Node with Smart Proxy
To configure a Satellite Capsule Server:
- On the Satellite Server:
- Generate a Satellite Capsule Server certificate:
# capsule-certs-generate --capsule-fqdn capsule_FQDN --certs-tar ~/capsule.example.com-certs.tar
Where:
- capsule_FQDN is the Satellite Capsule Server's fully qualified domain name. (REQUIRED)
- certs-tar is the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
Running capsule-certs-generate will generate the following output message:
- Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server:
- Register your Satellite Capsule Server to the Satellite Server:
# rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
# subscription-manager register --org "Default Organization" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.
Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing.
- Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
- Option 2: Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
- Run the following commands to configure the firewall to limit elasticsearch to the foreman, katello and root users and make these rules persistent during reboots:
- For Red Hat Enterprise Linux 6:
- For Red Hat Enterprise Linux 7:
Note
To confirm that the configuration was successful, run this command as the root user on the Satellite Capsule Server:
# echo $?
This command should return a "0" to indicate success. If it does not, check /var/log/kafo to debug the cause of failure. /var/log/kafo is the log file for the output generated by the commands capsule-certs-generate and capsule-installer.
The Satellite Capsule Server should also appear in the Satellite Server's User Interface under .
Result:
The Satellite Capsule Server is now configured and registered with the Satellite Server.
katello-installer comes with a default CA used both for the server SSL certificates and for the client certificates used for authentication of the subservices. These certificates can be replaced with custom ones.
There are two instances wherein you can configure the Satellite Capsule Server to use a custom CA certificate:
- When capsule-certs-generate is run the first time
- After capsule-certs-generate has already been run
Procedure 5.2. Setting a Custom Server Certificate while running capsule-certs-generate for the first time
- Run this command on the Red Hat Satellite Server:
Where:
- capsule_FQDN is the Satellite Capsule Server's fully qualified domain name. (REQUIRED)
- certs-tar is the name of the tar file to be generated that contains the certificate to be used by the Satellite Capsule installer.
- server-cert is the path to your certificate, signed by your certificate authority (or self signed).
- server-cert-req is the path to your certificate signing request file that was used to create the certificate.
- server-key is the private key used to sign the certificate.
- server-ca-cert (~/path/to/cacert.crt) is the path to the CA certificate on this system.
- Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server:
- Register your Satellite Capsule Server to the Satellite Server:
# rpm -Uvh http://sat6host.example.redhat.com/pub/katello-ca-consumer-latest.noarch.rpm
# subscription-manager register --org "ACME_Corporation" --env [environment]/[content_view_name]
Note
The Satellite Capsule Server must be assigned to an organization as the Satellite Capsule Server requires an environment to synchronize content from the Satellite Server. Only organizations have environments.
Assigning a location is optional though recommended to indicate proximity to the hosts that the Satellite Capsule Server is managing.
- Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
- Option 2: Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
- Option 3: Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
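A pre-flight check for the custom certificate files named in Procedure 5.2, as an added example that is not part of the original Red Hat procedure: it uses the openssl CLI to confirm that server-cert, server-cert-req and server-key hold the same public key, that the certificate verifies against server-ca-cert, and that it has not expired. The function names and the file names written by make_demo_material are assumptions made for this example, and the demo material is constructed throwaway data.

```bash
#!/usr/bin/env bash
# Added example (not Red Hat's code): pre-flight checks on the files passed as
# server-cert, server-cert-req, server-key and server-ca-cert. Needs openssl.

# Print the PEM public key held in a certificate, CSR or private key.
pubkey_of() {  # $1 = x509|req|pkey, $2 = file
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    req)  openssl req -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -passin pass: -pubout ;;  # never prompt
  esac 2>/dev/null
}

# Return 0 only if cert, CSR and key share one public key, the cert verifies
# against the CA file, and the cert has not expired.
check_capsule_certs() {  # $1 cert, $2 CSR, $3 key, $4 CA cert
  local cert="$1" csr="$2" key="$3" ca="$4" k rc=0
  k=$(pubkey_of pkey "$key") || k=""
  [ -n "$k" ] || { echo "FAIL: cannot read private key $key"; return 1; }
  [ "$(pubkey_of x509 "$cert")" = "$k" ] ||
    { echo "FAIL: server-cert does not match server-key"; rc=1; }
  [ "$(pubkey_of req "$csr")" = "$k" ] ||
    { echo "FAIL: server-cert-req does not match server-key"; rc=1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: server-cert does not verify against server-ca-cert"; rc=1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: server-cert has expired"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: certificate material is consistent"
  return "$rc"
}

# Build throwaway sample material (constructed for this example only):
# a demo CA, a server key/CSR/cert issued by it, and an unrelated CA.
make_demo_material() {  # $1 = existing empty directory
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 2 \
    -keyout "$d/ca.key" -out "$d/cacert.crt" >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=capsule.example.com" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/server.crt" -days 1 >/dev/null 2>&1 &&
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Other CA" -days 2 \
    -keyout "$d/other.key" -out "$d/other-ca.crt" >/dev/null 2>&1
}

# Real use: ./check.sh server.crt server.csr server.key cacert.crt
if [ "$#" -eq 4 ]; then check_capsule_certs "$@"; fi
```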
Procedure 5.3. Setting a Custom Server Certificate after running capsule-certs-generate
Using custom server certificates for the Satellite Server means that the same custom server certificates need to be deployed in the Satellite Capsule Servers. Each Satellite Capsule Server will require the following steps:
- Generate a new certificate based on your custom server certificate:
- Copy the generated tarball, capsule.example.com-certs.tar, from the Satellite Server to the Satellite Capsule host system.
- On the Satellite Capsule Server, re-run the capsule-installer command to refresh the certificates. Depending on the desired Satellite Capsule Server type, choose one of the following options:
- Option 1: Satellite Capsule Server with Smart Proxy: This installs a Satellite Capsule Server with Smart Proxy features (DHCP, DNS, Puppet). Run the following commands as the root user on the Satellite Capsule Server:
- Option 2: Satellite Capsule Server as a Content Node: This installs a Satellite Capsule Server with content management features and a Puppet Master. Run the following commands as the root user on the Satellite Capsule Server:
- Option 3: Satellite Capsule Server as a Content Node with Smart Proxy: This installs a Satellite Capsule Server with all the features. Run the following commands as the root user on the Satellite Capsule Server:
Important
Use the same custom server certificate on both the Red Hat Satellite Server and the Red Hat Satellite Capsule Server to ensure that the trusted relationship between the two hosts is maintained.